TOR Based APK Trojan

Several security firms recently discovered TOR based malware on android platform. As we received the sample, we make some quick analysis on it.

XHTML

1

2

MD5:58FED8B5B549BE7ECBFBC6C63B84A728

SHA-1:2E6DBFA85186AF23A598694D2667207A254F8979

The sample has been reported to have C&C capability which is using unusual top level domain name (.onion). This TLD is usually used by TOR.
The use of Orbot TOR Client on this malware can be seen on its Java class:

The following screenshot is an example of permission that used by this malware and the capabilities to run TOR client:

We have discovered more functionality which is not just TOR but also taking advantage on SMS, contact, USSD, and listing installed apps.